[searockruz]

I think it should be included since programmers have to complete the product before the deadline arises.Then search for latest security threats
and if conflicts with the security issue change the logic again !

[i am not sure if this post suites this section ]

This post has been edited by searockruz: 01 April 2009 - 09:56 PM

[Tom9729]

If security is going to be a serious priority then it should be a part of the original design, not tacked on later.

I don't think there should be a "hacking" forum. It would draw too many people either 1) asking for someone to hack for them or 2) asking us to security audit their applications.

[firebolt]

ahh... how ethical??

[searockruz]

yeah even i think the same about hacking forums.Its the place where newbies start to learn hacking.Web hosters and blog hosters should strictly ban such sites from their servers.

This post has been edited by searockruz: 02 April 2009 - 01:31 AM

[baavgai]

I actually took this class. Mostly covered script kiddie stuff, unfortunately; I wanted more.

The problem, from a developer's perspective, is that security is just another layer of hassle. Worse, it's a layer that no one really knows is there; it just usually takes extra time. Worse still, if you implement security too soon, it can throw up unintended roadblocks during development.

Everyone who makes software should have a reasonable idea of how a user can break it. Security is about how malicious people think to intentionally exploit it, which is slightly different. Many of the less secure methods are simply easier to write (gets v. fgets, SQL with string concat, etc.) and it helps know have a good understanding of why you shouldn't.

I have used hacking, technically exploitation, techniques to show customers why their system needs fixing. I have sat in meeting where sales suits swear on their mother's grave that their system doesn't have issues. I have been forced to reveal common issues in all their ugliness. ( I don't get invited to meetings often. )

Curiously, I recently used a password cracker to retrieve login credentials that were unknown be still being used by a number of processes. If I hadn't, many man hours would have been wasted.

Some security geek may tell you FTP is insecure. but it doesn't seem to really sink in until you see the plain text passwords flying by.

[searockruz]

yeah but programmers need to be aware of basic security such as Sql Injection,brute force cross scripting ets in pratical terms rather than therotical

[firebolt]

Its a hard question to ask and it should be 50 - 50 but i;ll lean towards yes as unwanted things happen in the computing world and most of us should know whats going on. I mean like some illegal torrent giant could be working on their program right now and we're just sitting here.

[KYA]

In order to beat a bad guy, you have to think like a bad guy. There are already "ethical" ways of security testing, most notably penetration testing.

[searockruz]

@Kya

I totally agree with you.

@firebolt
this people come up with their illegal activites since we dont have a strict IT Laws.
Suppose someone on the street is advertising for illegal arms training,what do the cops do?....
and if theres a site teaching hacking,what do the people and cops do ? just simply ignore it !

[firebolt]

@ searockruz:

Ye i see what your saying and it is true. Anyways, most of us dont care or dont know whats going on behind the scenes.

[BigAnt]

I am teh 1337 eThIcAl HaCkEr Now bow before me!!!!!!!

[NickDMax]

..I don't understand the question. Include "Ethical Hacking" as well as programming languages in what? Your question is incomplete and not logical.

Choosing a new programming languages does not security make. Programs do what programmers tell them to, and if the programmer is unconcerned with security there is little that the language can do to help.

Building security as a feature of a software product is like any other feature -- it has to be tested. That testing is not "ethical hacking" -- it is software testing. Sometimes people like to call it "white hat hacking" or "ethical hacking" because they like the association with "hacking" but they are just specialized software testers. -- but whether or not it should be included in the testing is not a moral question -- it HAS to be tested, its part of the development process.

Personally I don't think security ever takes a break. There is only so much that you can test for. So I think organizations with major software products that might carry sensitive information should offer rewards for the discovery of vulnerabilities (so long as the discovery of such a vulnerability did not violate the law).

I do not think that every Tom-Dick-and-harry programmer should have to test their software to see if it contains exploitable code. I do think they have a responsibility to fix it if it is found (if they are aware of it). Well even here I think it depends upon the situation. I just feel that programmers should feel a sense of responsibility to protect data and protect their users.

[searockruz]

@Big Ant
Live long your Majesty
You are the best Ethical hacker in .....innn....What was i suppose to say?
just joking don't take it seriously


@NickDMax
i didn't mean of creating a new language which includes security features
my question is perfect and up to the point
my question is should ethical hacking be taught with other programing languages?
well many of the colleges do teach it,but only till theoretical basis!
just theory and no practical knowledge is useless.
but some times i feel there no school who teaches how to create viruses.
then too there are so many viruses and worms.
I just wonder how bad the situation will be if 50% of the programmers start making viruses
after learning it from the colleges

[archangelzero6]

@ all
I agree with the fact that we need to have "Ethical Hacking" as Best Buy or Wal-Mart have "Loss-Prevention". The whole point of ethical hacking is to prevent the misuse or exploitation of any flaws within the program. This I believe is key. every programmer at some point has to think along the lines of "who" and "how". When that comes into play, and it will at some point, then it is up to you "the programmer" to decide how to protect your code.

That my friends, that is totally up to you. As to the term "Ethical Hacker", use it as liberally as you like. It is up to you as to how you will use the term, and your knowledge. However you play your "Ethics" into your code, that is up to you. That is just my 2 cents. Have fun

[no2pencil]

In my opinion there is no such thing as Ethical Hacking, so it should not be taught in schools.

This is how I see it:

1.) You either build secure software or you write shitty code
2.) There is no ethical hacking. You are either bypassing security or you are not.
3.) A school should not teach how to bypass restrictions or security

Regardless of the reasoning, the 1st students to sign up for this class are going to be the ones whom want to learn it for malicious purposes. You are either building secure sites or not. I agree with KYA to a point. To understand how to protect your software, you need to understand how they can get it. However, I would disagree with a school curriculum that included teaching hacking from a forward approach, in order to reverse that into a secure approach. As well, each employer has their own idea of what secure it. Case in point. Forcing someone to change their password every (said amount) of days isn't secure. If you have the password restrictions too high, the users eventually write the password down, thus nulling the purpose of having a password. However, the flip side to that is that the security admins can say "Well we put rules in place that secured our system, so we are not to blame".

& as far as software security, build a fault tolerant system. Teaching someone how to perform mysql injection is irrelevant. They should testing the input values regardless. An email address should always contain a username, an @, a domain, a dot, & a top level domain. You are either correctly verifying this or not.

I've always found that someone looking to secure their site (or software) is reading their logs & being proactive. Anyone that wants to learn how to be malicious asks about Ethical Hacking or how to secure their site that they usually have not even created yet.